`fac914c`

Track relative bash audit paths

Authored by mfwolffe <wolffemf@dukes.jmu.edu> 1 week ago

SHA: fac914c41aacb468f2ecd6adfebb2aabd42cd5cf
Parents: 9c5b609
Tree: 7d1f567

2 changed files

Status	File	+	-
M	`src/loader/runtime/hooks.py`	50	9
M	`tests/test_permissions.py`	135	0

src/loader/runtime/hooks.pymodified

          return False
      if any(fragment in normalized for fragment in _MUTATING_BASH_FRAGMENTS):
          return False
 -    try:
 -        argv = shlex.split(normalized)
 -    except ValueError:
 -        return False
 +    argv, _ = _extract_bash_command_context(normalized)
      if not argv:
          return False
      return argv[0] in _READ_ONLY_BASH_PREFIXES
  def _extract_bash_paths(command: str) -> list[str]:
 -    try:
 -        argv = shlex.split(command)
 -    except ValueError:
 +    argv, base_dir = _extract_bash_command_context(command)
 +    if not argv:
          return []
      observed: list[str] = []
      for token in argv[1:]:
              continue
          if candidate.startswith(("/", "~")):
              observed.append(candidate)
 +            continue
 +        if base_dir and (
 +            "/" in candidate
 +            or candidate.startswith(("./", "../"))
 +            or candidate in {".", ".."}
 +        ):
 +            observed.append(str(base_dir / candidate))
 +    if not observed and base_dir is not None:
 +        observed.append(str(base_dir))
      return observed
 +def _extract_bash_command_context(command: str) -> tuple[list[str], Path | None]:
 +    try:
 +        argv = shlex.split(command)
 +    except ValueError:
 +        return [], None
 +    if not argv:
 +        return [], None
 +    base_dir = _extract_bash_base_dir(argv)
 +    if base_dir is None:
 +        return argv, None
 +    if len(argv) >= 4 and argv[2] in {"&&", ";"}:
 +        return argv[3:], base_dir
 +    return argv, base_dir
++
++
 +def _extract_bash_base_dir(argv: list[str]) -> Path | None:
 +    if len(argv) < 2 or argv[0] != "cd":
 +        return None
 +    candidate = argv[1].strip()
 +    if not candidate:
 +        return None
 +    if not candidate.startswith(("/", "~")):
 +        return None
 +    try:
 +        return Path(candidate).expanduser()
 +    except (OSError, RuntimeError, ValueError):
 +        return None
++
++
  def _derive_search_anchor(search_path: str, pattern: str) -> str:
      normalized_search_path = str(search_path or "").strip()
      normalized_pattern = str(pattern or "").strip()
      return argv[0] in {"touch", "mkdir", "rm", "mv", "cp", "chmod", "chown"}
 +def _tool_call_is_effective_mutation(tool_call: ToolCall) -> bool:
 +    if tool_call.name != "bash":
 +        return tool_call.name in _MUTATION_TOOLS
 +    command = str(tool_call.arguments.get("command", "")).strip()
 +    return _is_mutating_bash(command)
++
++
  def _repair_declared_output_paths(repair: Any, *, project_root: Path) -> set[str]:
      declared_outputs: set[str] = set()
      for root in getattr(repair, "allowed_roots", ()) or ():
      async def post_tool_use(self, context: HookContext) -> HookResult:
          if context.source == "verification":
              return HookResult()
 -        if context.tool_call.name in _MUTATION_TOOLS:
 +        if _tool_call_is_effective_mutation(context.tool_call):
              self._reset_source_of_truth_scope()
              return HookResult()
          if context.tool_call.name not in _OBSERVATION_TOOLS:
          return False
      async def post_tool_use(self, context: HookContext) -> HookResult:
 -        if context.tool_call.name in _MUTATION_TOOLS:
 +        if _tool_call_is_effective_mutation(context.tool_call):
              self._reset_completed_scope_state()
              return HookResult()
          if context.tool_call.name not in _OBSERVATION_TOOLS:

tests/test_permissions.pymodified

      assert "post-build audit loop" in blocked.message
 +@pytest.mark.asyncio
 +async def test_late_reference_drift_hook_blocks_relative_bash_reference_reads_after_artifacts_exist(
 +    temp_dir: Path,
 +) -> None:
 +    registry = create_default_registry(temp_dir)
 +    policy = build_permission_policy(
 +        active_mode=PermissionMode.WORKSPACE_WRITE,
 +        workspace_root=temp_dir,
 +        tool_requirements=registry.get_tool_requirements(),
 +    )
 +    dod_store = DefinitionOfDoneStore(temp_dir)
 +    dod = create_definition_of_done("Create a multi-file guide from a reference")
 +    dod.status = "in_progress"
 +    plan_path = temp_dir / "implementation.md"
 +    plan_path.write_text(
 +        "\n".join(
 +            [
 +                "# Implementation Plan",
 +                "",
 +                "## File Changes",
 +                f"- `{temp_dir / 'guide'}`",
 +                f"- `{temp_dir / 'guide' / 'chapters'}`",
 +                f"- `{temp_dir / 'guide' / 'index.html'}`",
 +                f"- `{temp_dir / 'guide' / 'chapters' / '01-getting-started.html'}`",
 +                f"- `{temp_dir / 'guide' / 'chapters' / '02-installation.html'}`",
 +                "",
 +            ]
 +        )
 +    )
 +    dod.implementation_plan = str(plan_path)
 +    guide_dir = temp_dir / "guide" / "chapters"
 +    guide_dir.mkdir(parents=True, exist_ok=True)
 +    (temp_dir / "guide" / "index.html").write_text("index")
 +    (guide_dir / "01-getting-started.html").write_text("one")
 +    (guide_dir / "02-installation.html").write_text("two")
 +    dod_path = dod_store.save(dod)
 +    session = FakeSession(active_dod_path=str(dod_path), messages=[])
 +    hook = LateReferenceDriftHook(
 +        dod_store=dod_store,
 +        project_root=temp_dir,
 +        session=session,
 +    )
++
 +    result = await hook.pre_tool_use(
 +        HookContext(
 +            tool_call=ToolCall(
 +                id="bash-relative-reference-1",
 +                name="bash",
 +                arguments={
 +                    "command": f"cd {temp_dir} && ls -la reference/"
 +                },
 +            ),
 +            tool=registry.get("bash"),
 +            registry=registry,
 +            permission_policy=policy,
 +            source="verification",
 +        )
 +    )
++
 +    assert result.decision == HookDecision.DENY
 +    assert result.terminal_state == "blocked"
 +    assert result.message is not None
 +    assert "completed artifact set scope" in result.message
++
++
 +@pytest.mark.asyncio
 +async def test_late_reference_drift_hook_blocks_relative_bash_post_build_audit_loop(
 +    temp_dir: Path,
 +) -> None:
 +    registry = create_default_registry(temp_dir)
 +    policy = build_permission_policy(
 +        active_mode=PermissionMode.WORKSPACE_WRITE,
 +        workspace_root=temp_dir,
 +        tool_requirements=registry.get_tool_requirements(),
 +    )
 +    dod_store = DefinitionOfDoneStore(temp_dir)
 +    dod = create_definition_of_done("Create a multi-file guide from a reference")
 +    dod.status = "in_progress"
 +    plan_path = temp_dir / "implementation.md"
 +    plan_path.write_text(
 +        "\n".join(
 +            [
 +                "# Implementation Plan",
 +                "",
 +                "## File Changes",
 +                f"- `{temp_dir / 'guide' / 'index.html'}`",
 +                f"- `{temp_dir / 'guide' / 'chapters' / '01-getting-started.html'}`",
 +                f"- `{temp_dir / 'guide' / 'chapters' / '02-installation.html'}`",
 +                "",
 +            ]
 +        )
 +    )
 +    dod.implementation_plan = str(plan_path)
 +    guide_dir = temp_dir / "guide" / "chapters"
 +    guide_dir.mkdir(parents=True, exist_ok=True)
 +    (temp_dir / "guide" / "index.html").write_text("<h1>Guide</h1>\n")
 +    (guide_dir / "01-getting-started.html").write_text("<h1>One</h1>\n")
 +    (guide_dir / "02-installation.html").write_text("<h1>Two</h1>\n")
 +    dod_path = dod_store.save(dod)
 +    session = FakeSession(active_dod_path=str(dod_path), messages=[])
 +    hook = LateReferenceDriftHook(
 +        dod_store=dod_store,
 +        project_root=temp_dir,
 +        session=session,
 +    )
++
 +    def make_context(index: int) -> HookContext:
 +        return HookContext(
 +            tool_call=ToolCall(
 +                id=f"bash-relative-audit-{index}",
 +                name="bash",
 +                arguments={
 +                    "command": f"cd {temp_dir} && ls -la guide/chapters/"
 +                },
 +            ),
 +            tool=registry.get("bash"),
 +            registry=registry,
 +            permission_policy=policy,
 +            source="verification",
 +        )
++
 +    for index in range(1, 5):
 +        context = make_context(index)
 +        result = await hook.pre_tool_use(context)
 +        assert result.decision == HookDecision.CONTINUE
 +        await hook.post_tool_use(context)
++
 +    blocked = await hook.pre_tool_use(make_context(5))
++
 +    assert blocked.decision == HookDecision.DENY
 +    assert blocked.terminal_state == "blocked"
 +    assert blocked.message is not None
 +    assert "post-build audit loop" in blocked.message
++
++
  @pytest.mark.asyncio
  async def test_late_reference_drift_hook_does_not_treat_empty_output_dir_as_complete_artifact_set(
      temp_dir: Path,